Last week, I wrote about the challenges facing independent insurance agencies to protect their confidential data from hackers. The reality of agencies’ exposure to cyber attacks was made clear at a cyber security event hosted by Travelers last Fall. At that event, the head of Travelers’ cyber insurance unit stated that 60% of all cyber attacks in 2014 were against small to medium sized businesses and that half of all small businesses contacted reported being the target of a such an attack.
While the above facts should concern all agency owners, they also provide an opportunity for agencies to sell cyber insurance to their business customers, who are subject to at least the same and depending on the industry, even greater risk of cyber attack. As might be expected health care, financial services, and retail businesses are the top three targets of such attacks. According to the head of Travelers’ cyber insurance unit, less than 20% of all businesses have cyber insurance. That leaves a lot of room for growth in the sale of what will become, if it is not already, as much-needed an insurance coverage for every business as the BOP policy.
Because it is a relatively new risk exposure, many business owners do not fully understand the extent of that risk. According to the 2015 NetDiligence Cyber Claims Study, the average cyber-related insurance claim was almost $675,000 ($4.8 million for a large company and $1.3 million per claim in the healthcare sector). The study also reported the average cost to a business for every record taken by hackers was about $964. Such costs can be enough to cripple, if not destroy, a small or medium-sized business and should be a wake up call to your business customers.
A recent article in the Property Casualty 360 discussed six best practices to follow when approaching a business customer about the purchase of cyber insurance. The first and probably most important practice is to make the purchase of cyber insurance the main reason for the meeting, instead of the last item discussed at the end of a normal customer review. As with any type of insurance, before the meeting, the agent should do their homework on the possible cyber exposures that exist for the customer, so at that meeting, the agent can use real world examples involving similar businesses to show the customer they are vulnerable and the potential cost to them of a cyber attack.
The agent should also take this opportunity to correct common misconceptions about cyber attacks, the main one being that all that is required to protect against such attacks is better security for their computer network. In fact, many cyber attacks that result in data breaches are due to human error by the employees of the business (e.g., employee responding to phishing e-mails), or a third-party vendor (in one case now in litigation, a vendor hired by a health care company to store its data did not take even the basic steps of changing the default password on some of its software or regularly updating that software as security patches became available). Your business customers also need to know that they remain responsible for a data breach due to the mistakes of a vendor they may have hired to store or protect their data. Any indemnities in an agreement with such a vendor are only as good as the vendor’s insurance coverage or financial condition.
The premiums for cyber insurance coverage in 2015 were over $2 billion and some commentators expect that number to rise to $20 billion by 2025. In such a relatively new and wide open market, there is money to be made by those agents who seize the opportunity presented.